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1.  Introduction 

A  delay  tolerant  network  (DTN)  provides  interoperable  communications  through  mobile 
nodes  with  the  characteristics  of  high  end-to-end  path  latency,  frequent  disconnection,  limited 
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resources  (e.g.,  battery,  computational  power,  bandwidth),  and  unreliable  wireless  transmission. 
Further,  for  DTNs  in  mobile  ad  hoc  network  (MANET)  environments,  we  also  face  additional 
challenges  due  to  a  lack  of  centralized  trusted  entity  and  this  increases  security  vulnerability  [5], 
For  a  sparse  MANET  DTN.  mobility-assisted  routing  based  on  store-carry-and-forward  method 
has  been  used.  That  is.  a  message  carrier  forwards  a  message  to  an  encountered  node  until  the 
message  reaches  a  destination  node.  In  MANET  DTN  environments,  it  is  important  to  select  a 
trustworthy  node  as  a  next  message  carrier  among  all  encountered  nodes  to  minimize  the  delay 
for  a  message  to  reach  a  destination  node  as  well  as  to  maximize  the  message  delivery  ratio.  In 
this  paper,  we  consider  a  MANET  DTN  in  the  presence  of  selfish  and  malicious  nodes  and 
propose  a  family  of  trust-based  routing  protocols  to  select  a  highly  trustworthy  next  message 
carrier  with  the  goal  of  maximizing  the  message  delivery  ratio  without  incurring  a  high  delay  or 
a  high  message  overhead. 

In  the  literature,  DTN  routing  protocols  based  on  encounter  patterns  have  been  investigated 
[2][10][1 1],  However,  if  the  predicted  encounter  does  not  happen,  then  messages  would  be  lost 
for  single-copy  routing,  or  flooded  for  multi-copy  routing.  Moreover,  these  approaches  could  not 
guarantee  reliable  message  delivery  due  to  the  presence  of  selfish  or  malicious  nodes.  The 
vulnerability  of  DTN  routing  to  node  selfishness  was  well  studied  in  [7][  17],  Several  recent 
studies  [  1 2][  1 4][  1 5]  considered  using  reputation  in  selecting  message  carriers  among 
encountered  nodes  for  DTNs.  Nevertheless,  [  1 2][  1 5 ]  assumed  that  a  centralized  entity  exists  for 
credit  management,  and  [14]  merely  used  reputation  to  judge  if  the  system  should  sw  itch  from 
reputation-based  routing  to  multipath  routing  when  many  selfish  nodes  exist. 

There  is  very  little  research  to  date  on  the  social  aspect  of  trust  management  for  DTN  routing. 
Social  relationship  and  social  networking  were  considered  as  criteria  to  select  message  carriers  in 
a  MANET  DTN  [6][8].  However,  no  consideration  was  given  to  the  presence  of  malicious  or 
selfish  nodes.  Very  recently,  [9]  considered  routing  by  socially  selfish  nodes  in  DTNs.  taking 
into  consideration  the  willingness  of  a  socially  selfish  node  to  forward  messages  to  the 
destination  node  because  of  social  ties.  Unlike  prior  work  cited  above,  in  this  paper,  we  integrate 
social  trust  and  Quality  of  Service  (QoS)  trust  into  a  composite  trust  metric  for  determining  the 
best  node  among  the  new  encounters  for  message  forwarding,  extending  from  our  preliminary 
work  [16].  We  consider  honesty  and  unselfishness  for  social  trust  to  account  for  a  node’s 
trustworthiness  for  message  delivery,  and  connectivity  for  QoS  trust  to  account  for  a  node's 


capability  to  quickly  deliver  the  message  to  the  destination  node.  By  assigning  various  weights 
associated  with  these  QoS  and  social  trust  properties,  we  form  a  class  of  DTN  routing  protocols, 
from  which  we  examine  two  versions  of  the  trust  management  protocol  in  this  paper:  an  equal- 
weight  QoS  and  social  trust  management  protocol  (called  trust-based  routing  for  short)  and  a 
QoS  trust  only  management  protocol  (called  connectivity-based  routing  for  short).  We  analyze 
and  compare  the  performance  characteristics  of  trust-based  routing  and  connectivity-based 
routing  protocols  with  epidemic  routing  [13]  and  PROPHET  [18]  for  a  DTN  consisting  of 
heterogeneous  mobile  nodes  with  vastly  different  social  and  networking  behaviors.  The  results 
indicate  that  our  trust-based  routing  protocols  outperform  PROPHET  and  can  approach  the  ideal 
performance  obtainable  by  epidemic  routing  in  delivery  ratio  and  message  delay,  without 
incurring  high  message  overhead.  Further,  integrated  social  and  QoS  trust-based  protocols  can 
effectively  trade  off  message  delay  for  a  significant  gain  in  message  delivery  ratio  and  message 
overhead  over  connectivity-based  routing  protocols. 

2.  System  Model 

We  consider  a  MANET  DTN  environment  with  no  centralized  trusted  authority.  Nodes 
communicate  through  multi-hops.  Every  node  may  have  a  different  level  of  energy  and  speed 
reflecting  node  heterogeneity.  We  differentiate  selfish  nodes  from  malicious  nodes.  A  selfish 
node  acts  for  its  own  interest.  So  it  may  drop  packets  arbitrarily  just  to  save  energy  but  it  may 
decide  to  forward  a  packet  if  it  has  good  social  ties  with  the  destination  node.  A  malicious  node 
acts  maliciously  with  the  intention  to  disrupt  the  main  functionality  of  the  DTN,  so  it  can  drop 
packets,  jam  the  wireless  channel,  perform  bad-mouthing  attacks  (provide  negative 
recommendations  against  good  nodes),  perform  good-mouthing  attacks  (provide  positive 
recommendations  for  other  colluding  malicious  nodes)  and  even  forge  packets.  In  the  paper,  we 
will  use  the  terms  a  malicious  node,  a  compromised  node,  and  a  bad  node  interchangeably. 

We  consider  the  following  model  to  describe  a  node's  behaviors.  If  a  node  is  selfish,  the 
speed  of  energy  consumption  is  slowed  down  and  vice  versa.  If  a  node  is  compromised,  the 
speed  of  energy  consumption  w  ill  increase  since  the  node  may  have  a  chance  to  perform  attacks 
which  may  consume  more  energy,  e.g.,  disseminating  bogus  messages.  We  also  consider 
redemption  mechanism  for  a  selfish  node  to  have  a  second  chance.  That  is.  a  selfish  node  may 
become  unselfish  again,  especially  when  its  energy  is  still  high  compared  with  its  peers.  We 


assume  that  each  node  has  a  pair  of  pre-distributed  public/private  keys  which  can  be  used  for 
packet  authentication  and  preventing  spoofing  attacks. 

A  node’s  trust  value  is  assessed  based  on  direct  observations  and  indirect  information  like 
recommendations.  The  trust  of  one  node  toward  another  node  is  updated  upon  encounter  events. 
Our  trust  metric  consists  of  two  trust  types:  QoS  trust  and  social  trust.  QoS  trust  is  evaluated 
through  the  communication  by  the  capability  of  a  node  to  deliver  messages  to  the  destination 
node.  We  consider  connectivity  to  measure  the  QoS  trust  level  of  a  node.  Social  trust  is  based  on 
social  relationships.  We  consider  unselfishness  and  honesty  to  measure  the  social  trust  level  of  a 
node.  Different  from  most  existing  encounter-based  routing  protocols  which  considered  only 
connectivity,  we  consider  social  trust  in  addition  to  QoS  trust  in  order  to  select  more  trustworthy 
message  carriers  among  encountered  nodes.  It  is  worth  noting  that  unselfishness  traditionally  has 
been  considered  as  a  QoS  trust  metric  [3]  to  measure  the  extent  to  which  a  node  cooperates  with 
other  nodes  to  conform  to  protocol  execution.  Here  we  consider  unselfishness  as  a  social  trust 
metric  to  measure  if  a  node  is  socially  willing  to  route  packets  passed  to  it  in  a  DTN.  thereby 
modeling  the  social  behavior  exhibited  by  a  selfish  node.  We  define  a  node's  trust  level  as  a  real 
number  in  the  range  of  [0,  1].  with  1  indicating  complete  trust,  0.5  ignorance,  and  0  complete 
distrust. 

There  is  no  centralized  intrusion  detection  system  (IDS)  as  it  may  be  infeasible  to  implement 
an  efficient  IDS  in  a  DTN  environment  because  of  the  sparseness  of  nodes  and  small  chances  for 
certain  nodes  to  encounter  or  connect  to  each  other.  Each  node  will  execute  the  trust  protocol 
independently  and  will  perform  its  direct  trust  assessment  toward  an  encountered  node  based  on 
specific  detection  mechanisms  designed  for  detecting  a  trust  property  X,  with  ^^connectivity, 
unselfishness,  or  honesty.  In  the  paper  we  will  discuss  these  specific  detection  mechanisms 
employed  in  our  protocol. 

3.  Trust  Management  for  Message  Routing 

The  trust  value  of  node  j  as  evaluated  by  node  /  at  time  t,  denoted  as  7) ;  (t),  is  computed  by  a 
weighted  average  of  connectivity,  honesty,  and  unselfishness  trust  components.  Specifically 
node  /  will  compute  7)y  (t)  by: 

Tu  (t)  =  Wl  Tie-COnnecavUy  (t)  +  W2  T^onnecttvUy  (f)  +  ^  ^honesty  (f)  +  ^  T  unself  is  hness  (f)  (1) 


where  Wjt  w2:  w3:  w4  is  the  weight  ratio  with  Wj  +  vv2  +  vv3  +  vv4  =1 .  Of  these  trust  components 
(or  properties)  in  Equation  1 , 7)*  connectwuy  (j)  js  about  node  fs  belief  in  node  fs  encounter 
connectivity  to  node  j,  representing  the  delay  of  node  i  passing  the  message  to  node  j, 
jd-connectivity  ^  js  about  node  f  s  belief  in  node  fs  connectivity  to  the  destination  node  d, 

representing  the  delay  of  node  j  passing  the  message  to  node  d,  TAonesC:y  (t)  is  about  node  fs 
belief  in  node  fs  honesty,  and  7’.“nse^'s  hness  (f)  is  about  node  fs  belief  in  node/s  unselfishness. 

The  reason  of  considering  both  e-connectivity  and  d-connectivity  trust  properties  in  our 
protocol  is  given  as  follows.  The  end-to-end  delay  from  node  fs  perspective  consists  of  the  e- 
connectivity  delay  from  node  i  to  node  j  (the  next  carrier)  and  the  d-connectivity  delay  from  node 
j  to  node  d  (the  destination  node).  Thus,  both  connectivity  metrics  are  needed.  Suppose  d- 
connectivity  is  only  trust  metric  for  connectivity.  If  node  /  encounters  node  j  and  discovers  that 
node  /’s  d-connectivity  delay  is  higher  than  another  node’s  (say  node  nr s)  d-connectivity  delay, 
then  node  i  will  decide  not  to  pass  the  message  to  node  j.  This  would  be  a  wrong  decision  in  case 
node  m's  e-connectivity  delay  +  d-connectivity  delay  actually  is  higher  than  node  j's  e- 
connectivity  delay  (which  is  zero  upon  encounter)  +  d-connectivity  delay.  Here  we  note  two 
special  cases:  (1)  if  node  j  is  the  currently  encountered  node,  then  connectlvlty  (f)  is  one, 
representing  that  the  e-connectivity  delay  is  zero;  (2)  if  node  d  is  the  currently  encountered  node, 
then  both  Tfj  connectivity  (f)  ancj  7^  connecti  ut y  ^  are  one^  represen^jng  tbat  both  the  e- 

connectivity  delay  and  d-connectivity  delay  are  zero. 

In  message  forwarding  in  DTNs.  two  most  important  performance  metrics  are  message 
delivery  ratio  and  delay.  The  rationale  of  using  these  four  trust  metrics  is  to  rank  nodes  such  that 
high  Tfj  connectlviCy  (t)  ancj  7^  connectivity  ^  represent  low  end-to-end  delay,  while  high 

T*°nesty  (t)  and  T™elfishness(t)  represent  high  delivery  ratio.  We  set  Tle-connectivity  (0), 
Td-t connectivity  (Q)>  ^honesty  (Q)  an(J  ?u nseifis  hness  (Q)  tQ  ignorance  (0.5)  since  initially  there  is 

no  information  exchanged  among  nodes. 

We  define  a  minimum  trust  threshold  Tmin  also  set  to  ignorance  (0.5)  such  that  if  Ti  t  (t)  > 
Tmin ,  node  /  w  ill  consider  node  j  as  “trustworthy''  (or  plainly  as  a  good  node)  at  time  t.  When 
node  i  encounters  another  node,  say  node  m,  it  exchanges  its  encounter  history  with  node  m. 


Moreover,  if  node  /  believes  that  node  m  is  a  good  node,  i.e.,  Tim(t  +  At)  >  Tmin ,  where  At  is 
the  encounter  period,  node  i  will  use  node  m  as  a  recommender  to  update  its  beliefs  toward  other 
nodes.  Specifically,  node  /'  will  update  its  trust  toward  node  /  upon  encountering  node  m  at  time  t 
fora  duration  of  At  as  follows: 

T*  (t  +  At)  =  /?!  Tdirect  •  * (t  +  At)  +  /?2  Tfjdirect '  x (t  +  At)  (2) 

Here  X  refers  to  a  trust  property  (e-connectivity,  d-connectivity,  honesty,  or  unselfishness) 
with: 

-  direct.  xrf  ,  =  f  ^,rUn£er  ^  +  At),  if  m  =  j  (3) 

lJ  c  j  l  rjco.i/ m*/ 

f  TiXm{t),if  m=  j  (4) 

Tindirect .  +  Af)  _  J  jX (t);  ^  m  *  y  and  m  (t  +  At)  <  Tmin 

(  (t  +  At)  x  T*J  (t  +  At),  i/  m  *  j  and  TLm  (t  +  At)  >  Tmi„ 

In  Equation  2,  is  a  weight  parameter  to  weigh  node  f  s  own  trust  assessment  tow'ard  node  / 
at  time  t  +  At,  i.e.,  “self-information,”  and  /?2  is  a  weight  parameter  to  weigh  indirect 
information  from  the  recommender,  i.e.,  “other-information.”  with  /?i  +  /?2  =  1. 

In  Equation  3  for  the  direct  trust  calculation  of  node  j,  if  the  new  encounter  (node  m)  is  node/ 
itself,  then  node  i  can  directly  evaluate  node  j.  We  use  7.  ^counte'  ^(t  +  At)  to  denote  the 
assessment  result  of  node  i  toward  node  m  in  trust  property  X  based  on  node  f  s  past  experiences 
with  node  m  up  to  time  t  +  At.  This  means  that  the  value  ofTle^counter  ,x (t  +  At)  is  assessed 
based  on  node  fs  direct  observations  to  node  m  collected  while  they  encountered  with  each  other 
(including  the  current  encounter)  over  the  time  period  [0,  t  +  At].  Later  in  Section  5.  we  will 
describe  how  this  can  be  obtained  for  each  trust  property  X.  If  the  new  encounter  is  not  node  j, 
then  there  is  no  new  direct  information  can  be  gained  about  node  /,  so  node  /  will  just  use  its  past 
trust  toward  node  j  obtained  at  time  t. 

In  Equation  4  for  the  indirect  trust  calculation  of  node/,  if  the  new  encounter  is  node  j  itself, 
then  there  is  no  indirect  recommendation  for  node  j,  so  node  /  will  just  use  its  past  trust  obtained 
at  time  t.  If  the  new  encounter  is  not  node/,  then  node  m  can  provide  its  recommendation  to  node 
i  for  evaluating  node  j,  if  node  /  considers  node  m  as  trustworthy,  i.e.,  Tlm(t  +  At)  >  Tmin  .  In 
this  case,  we  must  take  into  account  node  fs  belief  in  node  m  in  the  calculation  of 


^indirect ,  x ^  +  ^  yhis  m0(je|s  the  decay  0f  trust  as  trust  is  derived  from  a  distant  node  as 

indirect  information.  On  the  other  hand,  if  node  /  does  not  consider  node  m  as  a  good  node 
because  of  7jm(t  +  At)  <  Tmin ,  then  node  i  refuses  to  take  recommendations  from  node  m  about 
node  j,  and  will  just  use  its  past  trust  information  about  node  j  obtained  at  time  t.  The  policy  that 
recommendations  from  a  newly  encounter  node  are  accepted  only  if  the  newly  encountered  node 
is  considered  a  good  node  provides  robustness  against  bad-mouthing  or  good-mouthing  attacks. 

T[j(t)  in  Equation  1  can  be  used  by  node  /  (if  it  is  a  message  carrier)  to  decide,  upon 
encountering  node  m,  if  it  should  forward  the  message  to  node  m  with  the  intent  to  shorten  the 
message  delay  or  improve  the  message  delivery  ratio.  We  consider  a  ^-permissible  policy  in 
this  paper,  i.e.,  node  /  will  pass  the  message  to  node  m  if  Tim(t)  is  in  the  top  Q  percentile  among 
all  Tu(t)'s.  We  experiment  with  various  values  of  f2  to  trade  message  delivery  ratio  with 
message  latency. 

4.  Protocol  Resiliency 

Below  we  provide  a  formal  proof  that  our  trust  management  protocol  is  resilient  against 
malicious  attacks,  including  whitewashing  attacks  (a  bad  node  washing  away  its  bad  reputation 
by  gaining  high  trust  upon  encountering  with  another  node),  bad-mouthing  attacks  (a  bad  node 
providing  bad  recommendations  toward  a  good  node  to  ruin  its  reputation),  and  good-mouthing 
attacks  (a  bad  node  providing  good  recommendations  for  a  colluding  bad  node  to  raise  its 
reputation). 

4.1  Resiliency  to  Whitewashing  Attacks 

Definition  /:  A  bad  node,  say  node  m,  upon  encountering  node  i  at  time  t  for  an  encounter 
interval  At.  is  said  to  perform  a  whitewashing  attack  successfully  against  node  i  if  7jm(t)  < 
Tmin  and  Ti.mtt  +  At)  >  Tmin  . 

Lemma  1_:  Our  protocol  is  resilient  against  whitewashing  attacks. 

Proof:  When  node  i  encounters  node  m  at  time  t  for  a  duration  of  At.  according  to  our  protocol 
Tijn(t  +  At)  =  pxT*™ounter  (t  +  At)  +  p2Tlim{t).  of  which  Tlim(t)<Tmin  is  given  (in  the  if 
part)  and  T?Jfounter  (t  +  <  pmln  js  true  because  node  /  will  be  able  to  observe  node  m‘s  bad 

behavior  directly  based  on  node  f  s  past  experiences  with  node  tn  up  to  time  t  -I-  At.  including  the 


current  encounter.  Taking  the  fact  that  /?i  +  /?2  =  1*  we  obtain  Ti  m(t  +  At)  <  Tmin.  Thus,  it  is 
impossible  that  a  bad  node  can  successfully  perform  a  whitewashing  attack. 

4.2  Resiliency  to  Bad-Mouthing  Attacks 

Definition  2:  A  bad  node,  say  node  m ,  upon  encountering  node  i  at  time  t  for  an  encounter 
interval  At,  is  said  to  perform  a  bad-mouthing  attack  successfully  against  a  good  node,  say  node/, 
if  Tij (£)  >  Tmm  and  7^ (t  +  At)  <  Tmin . 

Lemma  2:  Our  protocol  is  resilient  against  bad-mouthing  attacks. 

Proof:  The  proof  hinges  on  proving  T,m(t  +  At)  <  Tmin  and  therefore  node  /  will  refuse  to  take 
recommendations  from  node  m  about  node  j.  Utilizing  the  proof  to  Lemma  1  and  the  fact 
that  Tim(t)  <  Tmin  is  true  (because  we  set  the  initial  trust  value  to  ignorance,  i.e..  Tlm{ 0)  = 
Tmin ,  making  it  impossible  for  a  bad  node  to  gain  trustworthy  status  at  time  t),  we  know  Ti  m(t  + 
At)  <  Tmin  is  true.  Consequently,  node  i  will  not  take  recommendations  from  node  m  about  node 
j.  According  to  our  protocol,  Tij(t  +  bt)-f3\Tij(jt)  +  (32Tj  j(t) .  This  leads  to  Ti;  (t  +  dt)  > 
Tmin  because  /?i  +  =  1  and  Ti;(t)  >  Tmin  is  given  (in  the  if  part).  Therefore,  it  is  impossible 

that  a  bad  node  can  successfully  perform  a  bad-mouthing  attack. 

4.3  Resiliency  to  Good-Mouthing  Attacks 

Definitipn  3:  A  bad  node,  say  node  m ,  upon  encountering  node  /  at  time  t  for  an  encounter 
interval  At.  is  said  to  perform  a  good-mouthing  attack  successfully  for  a  bad  node,  say  node  k , 
if  Tlk(t)  <  Tmin  and  TlJc(t  +  At)  >  Tmin. 

Lemma  3:  Our  protocol  is  resilient  against  good-mouthing  attacks 

Proof:  Following  the  proof  to  Lemma  1,  we  know  that  Tim(t  +  At)  <  Tmin  is  true.  Hence,  node 
/  refuses  to  take  recommendations  from  node  m  about  node  k  and  T^Ct  +  At)  + 

PlTijkit)  according  to  our  protocol.  This  leads  to  Ti  k(t  +  At)  <  Tmin  because  +  p2  =  1  and 
Tikit)  <Tmin  is  given  (in  the  if  part).  Therefore,  it  is  impossible  that  a  bad  node  can 
successfully  perform  a  good-mouthing  attack. 


5.  Performance  Model 


We  analyze  the  performance  of  the  proposed  trust-based  routing  protocol  for  DTN  message 
forwarding  by  a  probability  model  based  on  stoehastie  Petri  net  (SPN)  techniques  [4]  due  to  its 
ability  to  handle  a  large  number  of  states. 

5.1  SPN  Model  to  Yield  Ground  Truth 

We  develop  an  SPN  model  to  yield  dynamie  ground  truth  information  of  nodes  in  the 
example  DTN  described  in  Section  2.  The  SPN  model  is  shown  in  Figure  1.  The  SPN  model 
describes  a  node's  lifetime  in  the  presence  of  selfish  and  malicious  nodes.  It  is  used  to  obtain 
eaeh  node's  information  (e.g.,  connectivity,  honesty,  and  unselfishness)  and  to  derive  the  trust 
relationship  with  other  nodes  in  the  system. 

Without  loss  of  generality,  we  consider  a  square-shaped  operational  area  consisting  of  m*m 
sub-grid  areas  with  the  width  and  height  equal  to  the  radio  range  (R).  Initially  nodes  are 
randomly  distributed  over  the  operational  area  based  on  uniform  distribution.  A  node  randomly 
moves  to  one  of  four  loeations  in  four  directions  (i.e.,  north,  west,  south,  and  east)  in  accordance 
with  its  mobility  rate.  To  avoid  end-effeets,  movement  is  wrapped  around  (i.e..  a  torus  is 
assumed).  The  SPN  model  produces  the  probability  that  a  node,  say  node  /,  is  in  a  particular 
location  L  at  time  t.  This  information  along  w  ith  the  location  information  of  other  nodes  at  time  t 
(derived  from  these  nodes’  SPN  models)  provides  us  the  probability  of  two  nodes  encountering 
with  eaeh  other,  and  how  often  two  nodes  exchange  encounter  histories  to  update  7y  (t). 
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Figure  1:  SPN  Model. 

Below  we  explain  how  we  eonstruet  the  SPN  model  for  deseribing  a  node's  behavior  in 
terms  of  its  location,  energy,  honesty,  and  selfishness  status. 


Location:  Transition  T  LOCATION  is  triggered  when  the  node  moves  to  a  randomly 
selected  area  out  of  four  different  directions  from  its  current  location  with  the  rate  being 
calculated  as  a/R  based  on  its  speed  a  and  wireless  radio  range  R. 

Connectivity:  Connectivity  of  node  i  to  node  j  is  measured  by  the  time-averaged  probability 
that  node  /  and  node  j  are  within  one-hop  during  [0,  t  +  At].  This  can  be  obtained  by  knowledge 
of  location  probabilities  of  node  i  and  node  j  during  [0,  t  +  At]. 

Energy:  Place  Energy >  represents  the  current  energy  level  of  a  node.  An  initial  energy  level  of 
each  node  is  assigned  according  to  node  heterogeneity  information.  A  token  is  taken  out  when 
transition  TF.NERGY  fires.  The  transition  rate  of  TENERGY  is  adjusted  on  the  fly  based  on  a 
node's  state.  It  is  lower  when  a  node  is  selfish  to  save  energy;  it  is  higher  when  the  node  is 
compromised  so  that  it  performs  attacks  more  and  consumes  energy  more.  We  use  the  energy 
model  in  [3]  to  adjust  the  rate  to  consume  one  token  in  place  Energy  based  on  a  node’s  state. 

Honesty:  A  node  is  either  good  or  bad.  We  distinguish  a  bad  (or  compromised)  node  from  a 
good  node  by  placing  a  token  in  place  CN.  A  bad  node  can  perform  various  attacks  including 
white  washing,  good  mouthing  and  bad  mouthing  attacks,  thus  exhibiting  dishonest  behaviors. 
When  a  node  encounters  another  node,  it  will  perform  a  direct  trust  assessment  of  the 
encountered  node  in  the  honest  trust  property  based  on  specific  detection  mechanisms  devised 
for  detecting  dishonesty  (to  be  described  later). 

Selfishness:  Place  SN  represents  whether  a  node  is  selfish  or  not.  If  a  node  becomes  selfish,  a 
token  goes  to  SN  by  triggering  TSELFISH.  We  model  a  node’s  selfish  behavior  as  a  function  of 
its  remaining  energy.  Specifically,  the  transition  rate  to  T  SELFISH  is  given  by: 

rate(T_SELFISH)  =  ^Ere™m  1 

where  At  is  the  duration  between  two  encountering  events  over  which  a  node  mav  decide  to 
become  selfish.  The  form/(y)  =  ct-iy~El  follows  the  demand-pricing  relationship  in  Economics 
[I]  to  model  the  effect  of  its  argument  y  on  the  selfishness  behavior,  such  that  f(Eremam  ) 
models  the  behavior  that  a  node  with  a  higher  level  of  energy  is  less  likely  to  be  selfish. 
Similarly  a  selfish  node  may  become  unselfish  again  through  transition  T  REDEMP.  The 
redemption  rate  is  modeled  in  a  similar  way  as: 


(6) 


rate(T_REDEMP )  = 


9  (E consumed  ) 

At 


where  ,g(y)  =  a^y-*2  and  Econsumeci  is  the  amount  of  energy  consumed  as  given  by  Eq  — 
Eremain  and  At  is  the  encountering  interval  over  which  a  selfish  node  may  decide  to  become 
unselfish  again.  g(,Econsume )  models  the  behavior  that  a  node  with  a  lower  level  of  energy  will 
more  likely  stay  selfish  to  further  save  its  energy  considering  its  own  individual  benefit. 


5.2  Trust  Assessment 

Leveraging  the  SPN  model  described  which  yields  ground  truth  information  of  node  fs 
status,  we  can  calculate  TXj  (t  +  At)  as  follows.  In  practice,  Ttj  (t  +  At)  is  obtained  by  node  i  by 
following  the  protocol  execution  at  runtime.  The  computational  procedure  devised  below  is  to 
predict  7)*(t  +  At)  that  would  be  obtained  by  node  /.  Our  assertion  is  that  the  detection 
mechanisms  used  by  a  node  for  trust  assessment  of  property  A' of  an  encountered  node  will  be 
effective  and  fairly  accurate.  Thus,  f.e^counter  ■*(£  + At)  assessed  by  node  /  will  be  close  to 
ground  truth.  Consequently,  j',e^counte'  -*(£  +  At)  is  predicted  to  be  the  same  as  the  ground  truth 
status  of  node  m  in  trust  property  A",  as  provided  from  the  SPN  output.  Below  we  discuss  specific 
detection  mechanisms  used  by  node  /  to  assess  node  m  upon  encounter  to  satisfy  the  assertion. 

•  j^counter  ■  e-conneccivtty  At);  This  refers  t0  the  belief  of  node  /  about  its  connectivity  to 

node  m  based  on  node  fs  encountering  experiences.  The  specific  detection  mechanism  used 
is  counter-based.  That  is,  node  /  keeps  track  of  the  numbers  of  encounters  it  has  had  with  all 
other  nodes  in  the  DTN  up  to  time  t  +  At  and  computes  j^ounter  •  e-connectivny  ^  ^ 

by  the  ratio  of  the  number  of  encounters  between  node  /  and  node  m  to  the  maximum  number 
of  encounters  between  node  /  and  any  other  node  during  [0,  t  +  At], 

*  T^ounter  '  d~connectllUy  (f  q.  At);  This  refers  to  the  belief  of  node  /  about  the  connectivity 
between  node  m  and  node  d  based  on  node  fs  encountering  experiences.  The  specific 
detection  mechanism  used  is  also  counter-based.  It  can  be  computed  by  the  ratio  of  the 
number  of  encounters  between  node  m  and  node  d  to  the  maximum  number  of  encounters 
between  node  d  and  any  other  node  over  the  time  period  [0,  t  +  At]  all  based  on  node  fs 
observations.  Note  that  node  /  can  observe  node  m  encountering  node  d  only  if  both  node  m 
and  node  d  are  within  1-hop  range  of  node  /.  Thus,  by  consulting  its  encounter  history  with 


all  nodes,  node  /  will  be  able  to  calculate  T*™ounter  4-connectivity  (£  4.  At)  for  the 
connectivity  of  node  m  to  node  d. 

•  T.e™mnter  ■  l'ont'ty  q_  At):  refers  to  the  belief  of  node  /  that  node  m  is  honest  based  on 

direct  observation  experiences  with  node  m  during  encounters.  Since  a  compromised  node 
will  perform  attacks  and  exhibit  dishonest  behaviors,  the  specific  mechanisms  used  are 
anomaly  detection  or  intrusion  detection  techniques  [  1 8 J[  1 9].  Specifically,  node  /  monitors 
node  rrC s  dishonest  evidences  including  dishonest  trust  recommendation,  irregular  packet 
patterns,  and  abnormal  traffic  while  they  encountered  including  the  current  encounter.  Then 
it  computes  j^ounter  • honesty  q_  At)  by  the  ratio  of  the  number  of  bad  honesty  experiences 

to  the  total  number  of  honesty  experiences. 

•  j*™ounter  un5e,fts  /int>ss  _j_  At):  This  refers  to  the  belief  of  node  /'  that  node  m  is  willing  to 
deliver  messages.  In  traditional  MANETs,  a  node's  selfishness  can  be  detected  by  using 
snooping  and  overhearing  techniques.  However,  in  DTNs  messages  are  delivered  in  a  store- 
and-forward  fashion,  thus  snooping  and  overhearing  may  not  be  feasible.  Our  specific 
detection  mechanism  for  detecting  unselfishness  is  signature-based,  leveraging  the 
private/public  keys  for  message  authentication.  Specifically,  when  node  i  encounters  node  j 
and  passes  a  message  to  node  /,  if  node  j  is  not  selfish  it  will  forward  the  message  and 
acknowledge  node  /  with  the  same  message  signed  with  its  private  key.  Afterwards,  when 
node  /  and  node  m  encounter  each  other,  they  exchange  message  signatures  and  verify  each 
exchanged  message  signature  by  the  receiver’s  public  key.  Since  each  message  is  unique,  a 
bad  node  cannot  apply  replication  attacks.  An  unselfish  node  therefore  will  have  more 
verified  message  signatures  than  a  selfish  node.  Node  i  then  computes 
^encounter  ,  unself  is  “nes<:  ^  q.  At)  by  the  ratio  of  the  number  of  verified  message  signatures 

received  from  node  m  to  the  maximum  number  of  verified  message  signatures  received  from 
any  other  node. 

As  a  result  of  applying  the  above  detection  mechanisms  for  trust  property  X , 
TLe™ounter  ’  x (t  +  At)  obtained  by  node  /  would  be  close  to  the  ground  truth  status  of  node  m  at 
time  t  which  can  be  easily  obtained  from  the  SPN  model  output.  In  particular, 
7 .encounter  .honesty  _j_  ^f)  ;n  Equation  3  is  simply  equal  to  the  probability  that  place  CN  does 


not  contain  a  token  at  time  t  +  At,  and  j*™ounter  •  unself‘s  hness  ^  +  At)  |s  simply  equal  to  the 
probability  that  place  SN  does  not  contain  a  token  at  time  t  +  At,  both  of  which  can  be  computed 
easily  from  the  SPN  model  output.  Similarly,  j^counter  •  e  - connectivity  ^  ^  js  sjmpiy  eqUal 

to  the  time-averaged  probability  that  node  /  and  node  m  are  within  one-hop  during  [0,  t  +  At] 
and  7.e"counter  -  d-connectmty  ^  ^  js  eqUai  t0  the  time-averaged  probability  that  node  m  and 

node  d  are  within  one-hop  during  [ 0 ,  t  -I-  At],  both  of  which  can  be  obtained  by  utilizing  the  SPN 
model  output  regarding  the  node  location  probability.  Once  j^ounte’  v(t  +  At)  is  obtained  at 
each  encounter  time,  node  /  computes  T- *(t  +  At)  based  on  Equation  2,  and  subsequently, 
obtains  Ttj  (t  +  At)  based  on  Equation  1. 


6.  Results 


Table  1:  Default  Parameter  Values  Used. 


Para  m 

Value 

Pa  ram 

Value 

Param 

Value 

Param 

Value 

m*m 

8*8 

R 

250m 

Tmin 

0  5 

a 

[0,  2[  m  s 

«/ 

4 

a2 

0.5 

*1^2 

1.6 

0. 8:0.2 

Eo 

[12,  24]  hrs 

a 

90% 

At 

300  s 

;V 

20 

Below'  we  show  numerical  results  and  prov  ide  phy  sical  interpretation  of  the  results  obtained. 
Table  1  lists  the  default  parameter  values  used.  For  trust-based  routing,  we  set  wp  w2:  w3:  w4  = 
0.25: 0.25: 0.25: 0.25  for  e-connectivity:  d-connectivity:  honesty:  unselfishness,  while  for 
connectivity-based  routing,  we  set  wp  w2:  w3:  w4  =  0.5:  0.5:  0:  0.  We  setup  N  =  20  nodes  with 
vastly  different  initial  energy  levels  in  the  system  moving  randomly  in  a  8*8  operational  region 
w  ith  the  speed  of  each  node  in  the  range  of  [0,  2]  m/s,  and  with  each  area  covering  250  m  radio 
radius.  There  are  two  sets  of  nodes,  namely,  good  nodes  and  bad  nodes,  and  we  vary  the 
percentage  of  bad  nodes  to  test  their  effect  on  the  performance  of  our  protocol.  A  good  node  may 
become  selfish  to  save  energy  and  unselfish  again  after  redemption,  w  ith  the  selfish  rate  defined 
based  on  Equation  5  and  redemption  rate  defined  by  Equation  6.  The  initial  trust  level  is  set  to 
ignorance  (i.e.,  0.5)  for  all  trust  components  since  initially  nodes  do  not  know  each  other.  We 
also  set  Tmin  to  0.5  so  that  a  node  will  take  recommendations  from  a  newly  encountered  node 
only  when  its  trust  level  toward  the  newly  encountered  node  exceeds  ignorance. 

To  reveal  which  trust  component  might  have  a  more  dominant  effect,  we  show 
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node)  evaluating  node  j  randomly  picked.  Other  nodes  exhibit  similar  trends  and  thus  only  one 
set  of  results  is  shown.  Figure  2(a)  is  for  the  case  in  which  node  j  is  a  good  node.  We  see  that  all 
trust  components  exhibit  the  same  trend.  A  good  node  initially  picks  up  its  trustworthy  status 
(with  its  trust  level  greater  than  Tmin )  due  to  favorable  direct  evaluations  by  those  nodes  it 
encounters  and  interacts  with,  who  in  turn  pass  on  their  positive  recommendations  to  other  nodes 
they  encounter.  All  trust  components  after  their  respectively  maximum  values  then  decline  as 
time  progresses  because  malicious  negative  recommendations  from  bad  nodes  performing  bad- 
mouthing  attacks  gradually  pick  up  advantages  against  positive  recommendations  from  good 
nodes.  Among  all  trust  components,  the  honesty  trust  component  is  expected  to  contribute  the 
most  to  the  trustworthy  status  of  a  good  node.  This  is  reflected  in  Figure  2(a)  which  shows 
honesty  dominates  other  trust  components. 


(a)  Node  j  is  a  good  node. 


(b)  Node  j  is  a  bad  node. 


Figure  2:  Comparing  T*j(t)  as  a  Function  of  Time. 


Figure  2(b)  shows  T^connectivity  (t),  T*-connectivity  (t),  T^°nesty  (t)  and  T™elfts  hness  (t)  as  a 
function  of  time  for  the  case  in  which  node  j  is  a  bad  node.  Here  again  all  trust  components 
exhibit  the  same  trend.  However,  the  trust  values  decrease  monotonically  over  time.  Contrary  to 
a  good  node,  a  bad  node  never  has  any  chance  to  attain  trustworthy  status,  with  the  rapid  decline 
of  honesty  and  unselfishness  especially  contributing  to  a  bad  node’s  trust  decline.  The  result  that 
a  bad  node’s  status  is  always  untrustworthy  as  demonstrated  in  Figure  2(b)  substantiates  our 
claim  that  our  protocol  is  resilient  against  whitewashing,  bad-mouthing,  and  good-mouthing 
attacks  by  malicious  nodes. 


Next  we  consider  a  message  forwarding  scenario  in  which  in  each  run  we  randomly  pick  a 
source  node  s  and  a  destination  node  d.  The  source  and  destination  nodes  picked  are  always  good 
nodes.  There  is  only  a  single  copy  of  the  message  initially  given  to  node  s.  We  let  the  system  run 
for  30  min.  to  warm  up  the  system  and  start  the  message  forwarding  afterward  in  each  run. 
During  a  message-passing  run,  every  node  /  updates  its  Tt  j  (t)  for  all  j’s  based  on  Equation  1.  In 
particular,  the  current  message  carrier  uses  7y  (t)  to  judge  if  it  should  pass  the  message  to  a  node 
it  encounters  at  time  t.  If  the  message  carrier  is  malicious,  the  message  is  dropped  (a  weak 
attack).  If  the  message  carrier  is  selfish,  the  message  delivery  continues  with  50%  of  the  chance. 
A  message  delivery  run  is  completed  when  the  message  is  delivered  to  the  destination  node,  or 
the  message  is  lost  before  it  reaches  the  destination  node.  Data  are  collected  for  1500  runs  from 
which  the  message  delivery  ratio,  delay  and  overhead  performance  measurements  are  calculated. 

We  compare  trust-based  routing  and  connectivity-based  routing  against  two  baseline  routing 
protocols,  namely,  epidemic  routing  [13]  and  PROPHET  [18],  in  terms  of  message  delivery  ratio, 
delay  and  overhead  performance  metrics.  Assuming  sufficient  buffer  space,  epidemic  routing 
achieves  the  best  performance  in  delivery  ratio  and  message  delay  at  the  expense  of  the  worst 
performance  in  delivery  overhead  (in  the  number  of  message  copies  generated).  Thus,  epidemic 
routing  provides  the  upper  bound  performance  in  delivery  ratio  and  message  delay,  and  the  lower 
bound  performance  in  delivery  overhead  against  which  trust-based  routing  can  be  compared.  We 
use  PROPHET  as  another  baseline  routing  protocol  to  demonstrate  the  effectiveness  of  trust- 
based  routing  protocols  in  all  three  performance  metrics. 

In  epidemic  routing  [13],  a  node  forwards  a  copy  of  the  message  to  any  node  it  encounters. 
Thus,  a  node  consumes  more  energy  because  it  propagates  many  redundant  message  copies  to 
the  network.  Compared  with  trust-based  routing  and  connectivity-based  routing,  however, 
epidemic  routing  saves  energy  because  it  does  not  have  the  overhead  of  trust  management.  When 
using  the  SPN  model  to  describe  a  node  executing  epidemic  routing,  we  adjust  the  energy 
consumption  rate  to  transition  T_ENERGY  in  the  “Energy”  subnet  of  the  SPN  model  to  account 
for  a  different  energy  consumption  rate. 

In  PROPHET  [18],  when  two  nodes  encounter,  they  exchange  a  delivery  predictability 
v  ector.  If  the  delivery  predictability  of  the  current  message  carrier  is  low  er  than  that  of  the  newly 
encountered  node,  then  the  message  is  passed  from  the  current  message  carrier  to  the  newly 
encountered  node  as  the  next  carrier.  The  delivery  predictability  is  a  probabilistic  metric 


indicating  the  encounter  frequency  between  two  nodes  and  is  updated  when  two  nodes  encounter 
each  other.  It  is  similar  to  the  d-connectivity  trust  property  used  in  our  protocols  in  predicting  the 
delay  of  the  next  carrier  encountering  the  destination  node.  For  ease  of  disposition,  we  will 
loosely  refer  delivery  predictability  as  d-connectivity.  PROPHET  is  a  multi-copy  routing 
protocol  by  which  each  node  still  keeps  its  message  copy  for  future  transmission  after  it  sends 
the  message  to  a  carrier.  For  fair  comparison,  we  consider  a  version  of  PROPEHT.  called 
PROPHET_S.  where  each  node  removes  its  message  copy  after  forwarding  it  to  another  node 
and  will  not  perform  any  more  message  forwarding.  The  energy  consumption  model  of  each 
node  in  PROPHET  S  is  similar  to  trust-based  routing  protocols  considering  only  d-connectivity. 
Therefore,  in  PROPHET  S  the  energy  consumption  rate  to  transition  T  ENERGY  in  the  SPN 
model  remains  the  same  as  in  our  trust-based  routing  protocols. 

Figure  3  shows  the  message  delivery  ratio  as  a  function  of  the  percentage  of  compromised 
and  selfish  nodes  in  the  DTN  for  trust-based  and  connectivity-based  routing  protocols.  For 
performance  comparison,  we  also  show  the  delivery  ratio  obtained  from  epidemic  routing  and 
PROPHET  S.  Here  we  see  that  trust-based  routing  outperforms  connectivity-based  routing  in 
delivery  ratio  and  its  performance  approaches  the  maximum  achievable  performance  obtainable 
from  epidemic  routing.  This  is  attributed  to  the  ability  of  trust-based  protocols  being  able  to 
differentiate  trustworthy  nodes  from  selfish  and  bad  nodes  and  select  trustworthy  nodes  to  relay 
the  message.  The  result  demonstrates  the  effectiveness  of  incorporating  social  trust  into  the 
decision  making  process  for  DTN  message  routing.  Among  all  protocols,  PROPHET  S  performs 
the  worst  in  message  delivery  ratio.  In  particular.  PROPHET  S  is  significantly  worse  than  trust- 
based  routing  because  it  does  not  consider  honesty  and  unselfishness  for  routing  decisions. 
PROPHET  S  is  also  considerably  worse  than  connectivity-based  routing  because  it  considers 
only  d-connectivity  instead  of  both  e-connectivity  and  d-connectivity,  and  the  message  is  passed 
to  a  newly  encountered  node  as  long  as  the  new  encounter’s  d-connectivity  is  better  than  that  of 
the  current  message  carrier.  This  results  in  a  longer  route  from  the  source  node  to  the  destination 
node  with  a  higher  chance  to  run  into  a  malicious  node  or  selfish  node  to  drop  the  message. 


Figure  4:  Performance  Comparison  in  Message  Delay. 

Figure  4  shows  the  average  delay  experienced  per  message  considering  only  those  messages 
delivered  successfully.  Here  we  first  note  that  in  general  connectivity-based  routing  performs 
better  than  trust-based  routing  because  connectivity-based  protocols  use  the  delay  to  encounter 
the  next  message  carrier  (e-connectivity)  and  the  delay  for  the  next  message  carrier  to  encounter 
the  destination  node  (d-connectivity)  as  the  criteria  to  select  a  message  carrier.  The  result 
suggests  that  if  delay  is  of  primary  concern,  we  should  set  the  weights  associated  with  e- 
connectivity  and  d-connectivity  (QoS  trust  metrics)  higher  than  those  for  honesty  and 
unselfishness  (social  trust  metrics),  as  connectivity-based  routing  does  (by  setting 
Wx :  VV2 :  W3 :  w4  =  0.5:  0.5:  0: 0).  This  will  have  the  effect  of  trading  off  high  delivery  ratio  for 
low  delay.  Figure  4  also  shows  that  connectivity-based  routing  approaches  the  ideal  performance 
obtainable  from  epidemic  routing  as  the  percentage  of  malicious  and  selfish  nodes  increases.  We 
also  observe  that  in  general  PROPHET  S,  being  a  protocol  using  d-connectivity  for  routing, 
performs  better  than  trust-based  routing  but  worse  than  connectivity-based  routing.  The  reason 


that  PROPHET_S  performs  worse  than  connectivity-based  routing  is  that  it  only  compares  d- 
connectivity  values  of  two  encountering  nodes  for  routing  decisions,  which  is  not  effective  in 
minimizing  the  end-to-end  delay.  We  note  that  this  effect  is  especially  pronounced  when  the 
population  of  malicious  and  selfish  nodes  is  low,  since  in  this  condition  PROPHET  S  even 
performs  worse  than  trust-based  routing  which  considers  both  e-connectivity  and  d-connectivity 
as  part  of  its  trust  composition.  A  main  reason  for  this  performance  deterioration  of 
PROPHET  S  in  message  delay  when  the  population  of  malicious  and  selfish  nodes  is  low  is  that 
in  this  condition  most  new  encounters  would  be  good  nodes,  so  the  effect  of  connectivity 
dominates  the  effect  of  node  maliciousness/selfishness  for  deciding  the  next  message  carrier,  and 
PROPHET  S  comparing  d-connectivity  values  of  two  encountering  nodes  for  routing  decisions 
is  not  effective  in  minimizing  the  end-to-end  delay. 


Figure  5:  Performance  Comparison  in  Message  Overhead. 


Figure  5  compares  the  three  protocols  in  message  overhead  measured  by  the  number  of 
copies  forwarded  to  reach  the  destination  node  for  those  messages  successfully  delivered.  We  see 
that  trust-based  protocols  perform  comparably  with  connectivity-based  protocols  and  both 
protocols  outperform  epidemic  routing  and  PROPHET  S  considerably  in  message  overhead.  The 
reason  that  trust-based  protocols  use  slightly  more  message  copies  than  connectivity-based 
routing  protocols  is  that  the  path  being  selected  by  trust-based  protocols  may  not  be  the  most 
direct  route  in  order  to  avoid  selfish  or  malicious  nodes.  The  reason  that  both  trust-based  routing 
and  connectivity-based  routing  outperform  PROPHET  S,  especially  when  the  population  of 
malicious  and  selfish  nodes  is  low,  is  that  as  explained  earlier  PROPHET_S  tends  to  generate  a 
longer  route,  thus  resulting  in  more  message  copies  being  propagated. 


In  summary,  from  Figures  3-5,  we  see  that  trust-based  protocols  can  effectively  trade  off 
message  delay  (Figure  4)  for  a  significant  gain  in  message  delivery  ratio  (Figure  3)  and  message 
overhead  (Figure  5)  over  connectivity-based  routing,  epidemic  routing,  and  PROPHET  S. 


Figure  6:  Effect  of  /h'-fli  on  Delivery  Ratio  of  Trust-based  Routing. 

By  comparing  the  performance  of  trust-based  routing  (wj:  w'2:  wy  vv4  =  0.25:0.25:0.25:0.25) 
and  connectivity-based  routing  (Hq:  wq:  wy  w'4  =  0.5:0. 5:0:0),  we  have  demonstrated  the  effect  of 
parameters  Hq:  wq:  wq:  w4  on  system  performance.  Figure  6  investigates  the  effect  of  fiy./h,  on 
performance  of  trust-based  protocols  with  fty.fii  varying  from  0. 5:0.5  to  0.9:0. 1 .  We  observe  that 
as  fiy.fii  increases  (using  a  higher  weight  on  direct  trust),  the  message  delivery  ratio  increases  if 
the  population  of  malicious/selfish  nodes  is  low;  otherwise,  the  delivery  ratio  decreases.  Phis 
result  means  that  when  the  population  of  malieious/selfish  nodes  is  low,  one  should  use  a  higher 
ratio  of  /fi:/?2  to  improve  the  protocol  performance.  We  attribute  this  to  the  fact  that  when  the 
population  of  malicious/selfish  nodes  is  low,  it  is  easy  for  any  newly  encountered  node  to  qualify 
as  a  reeommender  and  provide  a  trust  recommendation  toward  all  other  nodes  in  the  DTN. 
However,  because  of  trust  decay  of  indirect  recommendations,  i.e.,  due  to  the  product  term  in 
Equation  4,  the  indirect  trust  value  received  will  likely  decrease.  Consequently,  a  good  node  may 
unnecessarily  underestimate  the  trust  values  of  other  good  nodes  in  the  system.  To  avoid  this,  it 
is  better  to  place  a  higher  weight  on  direct  trust  if  there  are  a  lot  of  good  nodes  around  to  serve  as 
recommenders.  Here,  we  note  that  when  given  knowledge  of  the  percentage  of  malicious  and 


selfish  nodes,  the  sensitivity  analysis  performed  above  helps  identify  the  best  ratio  of  to 
maximize  the  protocol  performance. 

7.  Conclusion 

In  this  paper,  we  have  proposed  and  analyzed  a  class  of  trust-based  routing  protocols  in 
delay  tolerant  networks.  The  most  salient  feature  of  our  protocol  is  that  we  consider  not  only 
connectivity  (QoS  trust)  but  also  honesty  and  unselfishness  (social  trust)  properties  into  a 
composite  trust  metric  for  decision  making  in  DTN  routing  dynamically.  We  formally  proved 
that  our  protocol  is  resilient  against  whitewashing,  bad-mouthing,  and  good-mouthing  attacks  by 
malicious  nodes.  We  further  substantiated  the  claim  with  numerical  results  demonstrating  that  a 
malicious  node  will  never  attain  trustworthy  status.  Our  performance  analysis  results 
demonstrate  that  by  properly  selecting  weights  associated  with  QoS  and  social  trust  metrics  for 
trust  evaluation,  our  trust  management  protocols  can  achieve  the  ideal  performance  level  in 
delivery  ratio  and  delay  obtainable  by  epidemic  routing,  especially  as  the  percentage  of 
malicious  and  selfish  nodes  increases.  In  particular,  trust-based  protocols  that  consider  both 
social  and  QoS  trust  can  effectively  trade  off  message  delay  for  a  significant  gain  in  message 
delivery  ratio  and  message  overhead  over  connectivity-based  routing,  epidemic  routing,  and 
PROPHET  routing  protocols. 

In  the  future,  we  plan  to  investigate  other  forms  of  message  passing  such  as  multi-copy 
message  forwarding  and  other  forms  of  attacks  by  malicious  nodes  such  as  jamming,  forgery, 
and  DoS  attacks.  We  also  plan  to  consider  other  trust  metrics  such  as  technical  competence, 
betweenness  centrality,  similarity,  and  social  ties  (strength)  [6]. 
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